EPIC Alert 12.20 [2005] EPICAlert 21
EPIC ALERT
Volume 12.20 October 6, 2005
Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.
http://www.epic.org/alert/EPIC_Alert_12.20.html
Table of Contents
[1] EPIC FOIA Note: Travelers Struggle With Watch List Errors
[2] FCC to Apply Wiretap Law to Broadband, VoIP
[3] US-VISIT's Travel ID Plan Still Has Security, Privacy Risks
[4] EPIC Unveils Page About Theme Parks and Privacy
[5] Congress Demands Limits on "Sensitive Security Information"
[6] News in Brief
[7] EPIC Bookstore: Dan Tynan's "Computer Privacy Annoyances"
[8] Upcoming Conferences and Events
[1] EPIC FOIA Note: Travelers Struggle With Watch List Errors
Documents obtained by EPIC under the Freedom of Information Act show nearly a hundred complaints from airline passengers about the government's traveler screening security measures. The most common complaint from travelers is that they have been wrongly placed on a government watch list.
The Transportation Security Administration maintains "selectee" and "no fly" watch lists of individuals suspected of posing a risk to air travel safety. When a passenger checks in for a flight, he may be labeled a threat if his name matches an entry on one of the watch lists, even if he is not the person actually on the list. People who are identified as watch list matches may experience long screening delays or not be allowed to board the plane.
EPIC posted the documents on its Web site in recognition of International Right to Know Day on September 28. On that day in 2002, freedom of information organizations from around the world established the Freedom of Information Advocates Network. The coalition, now composed of more than 90 organizations on four continents, continues to promote the adoption of freedom of information laws throughout the world and the recognition of the right to know as a fundamental human right.
EPIC FOIA Note #8:
http://www.epic.org/foia_notes/note8.html
More EPIC FOIA documents on watch lists:
http://www.epic.org/privacy/airtravel/foia/watchlist_analysis.html
Freedom of Information Advocates Network:
http://www.foiadvocates.net
EPIC International Right to Know Day press release:
http://www.epic.org/press/092805.html
[2] FCC to Apply Wiretap Law to Broadband, VoIP
On September 23, the Federal Communications Commission issued an order and notice of proposed rulemaking stating that the federal wiretap law applies to broadband Internet service providers and voice over IP (VoIP) services. The 1994 wiretap law, known as CALEA (the Communications Assistance for Law Enforcement Act), required telephone companies to provide easy access for law enforcement agencies to tap customers' lines.
The new FCC order means that broadband service providers and providers of VoIP services that are capable of connecting to the regular telephone network ("interconnected VoIP") must also create systems that the government can wiretap. The FCC reached this conclusion despite the fact that CALEA originally applied only to "telecommunications carriers" and excluded "information services" from its scope.
The FCC justified this expansion by citing a previously unused portion of CALEA that authorized the FCC to apply CALEA to any "wire or electronic communication switching service," so long as that service "is a replacement for a substantial portion of the local telephone exchange service and. . . it is in the public interest to do so." The FCC cited this provision, saying many use broadband and VoIP services to at least partially replace traditional telephone use. The FCC also argued that the exclusion of "information services" from CALEA does not apply because the agency interprets the definitions of "telecommunications" and "information services" differently for CALEA than it does for the Communications Act.
On the same day as the Order was issued, the FCC released a policy statement that outlined the FCC's belief that "consumers are entitled to run applications and use services of their choice, subject to the needs of law enforcement." This announcement indicates the potential for wiretap provisions to expand into an even wider variety of communications methods. The final breadth of this expansion remains to be seen.
FCC Order and Further Notice of Proposed Rulemaking (pdf):
http://ftp.fcc.gov/FCC-05-153A1.pdf
FCC Policy Statement (pdf):
http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-05-151A1.pdf
2003 EPIC Letter to Chairman Michael Powell on VoIP Regulation:
http://www.epic.org/privacy/voip/fccltr12.15.03.html
EPIC Wiretap Page:
http://www.epic.org/privacy/wiretap/
[3] US-VISIT's Travel ID Plan Still Has Security, Privacy Risks
In comments to the Department of Homeland Security, EPIC again has urged the agency to abandon a flawed proposal to embed Radio Frequency Identification tags in the Form I-94 or Form I-94W, which is the Arrival-Departure record issued to a traveler to the United States. The plan lacks basic privacy and security safeguards, and these costs substantially outweigh the limited timesaving benefits, EPIC said.
Under US-VISIT, foreign visitors are subject to biometric collection, biographic data collection, and watch list checks. The information collected from individuals includes name, date of birth, country of citizenship, passport number and country of issuance, complete U.S. destination address, and digital fingerscans.
The wireless travel ID plan contains a significant risk of unauthorized access. Although DHS states that the RFID tags will only carry a unique identification number, which will not contain any personally identifiable information, the ID numbers are linked to data files, and are subject to interception. The ID number is the key that permits access to records in the US-VISIT system.
Another significant security risk is that of clandestine tracking. RFID is an invisible technology. It allows a person's information to be accessed without his or her knowledge. Anytime a visitor is carrying his I-94 RFID-enabled form, his unique identification number, which is linked to his individual biographic information, could be accessed by unauthorized individuals. So long as the RFID tag or chip can be read by unauthorized individuals, foreign visitors could be identified and tracked.
EPIC has submitted a series of comments on database proposals undertaken by DHS regarding the development of the US-VISIT program. Most recently in August, EPIC urged DHS to abandon the RFID plan because the problems with the proposal are very similar to the problems found in the State Department's flawed proposal to include RFID tags in U.S. passports. The State Department is reassessing the plan after receiving a storm of criticism from civil liberties, security and privacy groups, including EPIC.
EPIC's recent comments (pdf):
http://www.epic.org/privacy/us-visit/100305_rfid.pdf
EPIC's Aug. 4, 2005 comments (in html and pdf):
http://www.epic.org/privacy/us-visit/comments080405.html
http://www.epic.org/privacy/us-visit/comments080405.pdf
EPIC's US-VISIT Page:
http://www.epic.org/privacy/us-visit/
EPIC's RFID Page:
http://www.epic.org/privacy/rfid/
[4] EPIC Unveils Page About Theme Parks and Privacy
EPIC has created an issue page on theme parks and privacy to act as a single source of information for consumers to learn more about privacy issues surrounding theme parks. The page provides information on theme parks' growing use of biometrics and other surveillance technology for commercial purposes.
For instance, fingerprint scans are now being used to keep track of visitors who enter and exit theme parks such as Walt Disney World. On January 2, all current Disney World admission passes began using fingerprint scans as a means to track customers entering Disney theme parks. Each park visitor is asked to make the peace sign and then place the fingers into a fingerprint reader. The digital fingerprint information is stored and used to match visitors with their park pass.
All individuals who are 10 years of age or older are asked to provide their fingerprints for scanning. However, children younger than ten have also been participating in this customer identification program.
Unfortunately, many visitors to the theme parks are not aware of the new policy. They are not informed that their fingerprint information has been scanned and retained. Customers were not provided with information on how long the fingerprint information would be retained, nor whether the information collected would be used for purposes other than the control of admission to the theme park.
Another theme park profiled on the page is DestiNY USA, which is under construction in the state of New York. This commercial center and theme park has been advertised as a place where marketers can study consumers interacting within a "living laboratory." The park claims that it has "built in the access and capacity for partner companies to monitor and continuously improve their products and services as they are being used by millions of visitors."
The two parks highlighted are not the only theme parks using biometrics and surveillance technology to monitor visitor access and activity within parks. As technologies that were once considered inappropriate for use on the general public become more available, park visitors must be on guard for additional threats to their privacy.
EPIC's Theme Park Page:
http://www.epic.org/privacy/themepark/
[5] Congress Demands Limits on "Sensitive Security Information"
In a conference report on the 2006 Homeland Security Appropriations Act, Congress instructed the Department of Homeland Security to create clearer and more consistent procedures for determining what documents are to be considered "sensitive security information," or SSI. While such documents are unclassified, they are still withheld as being too sensitive to release publicly. Among the documents considered SSI are airport security plans, specifications for screening devices, and vulnerability studies. However, in recent years, the category has expanded to include "security directives" and any "other information" within an agency's discretion. For instance, Transportation Security Administration employees have cited SSI to refuse to tell airline passengers why they were being searched.
The Congressional report sought to curb the proliferation of SSI in areas that should be in the public domain. The report requires each office within Homeland Security to have a specific official who will designate documents as SSI. Congress also requires the Secretary of Homeland Security to give the titles of all SSI documents to Congress in an annual report.
This July, EPIC won a battle with the Department of Homeland Security and the Transportation Security Administration over SSI designations. A federal court found that government agencies cannot withhold information simply by designating it SSI, without any further description. Though federal agencies "are not required to describe the withheld portions in so much detail that it reveals the sensitive security information itself," the court said they are required to "provide a more adequate description" to explain why material is not made public. EPIC filed a Freedom of Information Act suit to force DHS, TSA and the FBI to release documents detailing the agencies' efforts to obtain airline passenger information. Though the court found that the FBI had conducted an adequate search for documents, and TSA and DHS had properly withheld some material, the court ordered DHS and TSA to provide more detailed justification for numerous withholdings.
Excerpts from the Conference Report:
http://www.fas.org/sgp/congress/2005/dhs-ssi.html
Full text of the Conference Report on the 2006 Homeland Security Act:
http://thomas.loc.gov/cgi-bin/query/F?r109:1:./temp/~r109JzAsa6:e0:
Opinion in EPIC FOIA Case (pdf):
http://www.epic.org/privacy/airtravel/passengerdata/epic_v_dhs.pdf
[6] News in Brief
Spotlight: Registered Traveler Program Creates Private ID System
“Spotlight on Surveillance” turns to the Registered Traveler air passenger prescreening program run by Verified Identity Pass, Inc. Travelers pay $80 per year and submit personal data, including Social Security numbers, fingerprints, and iris scans, to the company for the privilege of a “fast pass” through airport security. The program may expand beyond airports to office buildings and stadiums. The system not only contains significant security and privacy flaws, it also creates the risk that people may eventually have to pay for an unregulated, privatized ID card simply to enter an office building.
Spotlight on Surveillance:
http://www.epic.org/privacy/surveillance/spotlight/1005/
EPIC's Passenger Profiling Page:
http://www.epic.org/privacy/airtravel/profiling.html
Recent Poll Shows Widespread Concern for Consumer Privacy
A recent CBS/New York Times poll shows that Americans are increasingly worried about their personal information being collected and shared by private companies. 52% think the right to privacy is under serious threat, and another 30% think it has already been lost. Only 16% think it is still safe. The poll also reveals that 55% were very concerned about having personal information stolen, and another 34% were somewhat concerned. Financial institutions were seen as the biggest threat to privacy, with half of the respondents naming banks and credit card companies as the source of the greatest threat to privacy. The federal government was the primary privacy threat seen by 14%. 68% of respondents felt that the federal government should be doing more to protect their privacy. Respondents were not asked about state or local governments.
EPIC's Public Opinion and Privacy Page:
http://www.epic.org/privacy/survey/default.html
EPIC Comments on ICANN WHOIS Proposal
EPIC has filed comments with the Internet Corporation for Assigned Names and Numbers (ICANN) on its new WHOIS policy. Under ICANN's current policies, those registering domain names must make public their contact information via WHOIS. But under many local and national laws, this information is private. The Task Force now recommends that registrars be allowed to request exceptions to the ICANN policies if they can show a conflict with local or national laws. The EPIC comments support this change but also urge that far more comprehensive and effective policies be explored and implemented.
EPIC's Comments to ICANN:
http://forum.icann.org/lists/gnso-whoisprivacy-cmts/msg00007.html
ICANN WHOIS Task Force Report:
http://gnso.icann.org/issues/whois-privacy/tf-prelim-rpt-12sep05.htm
EPIC's WHOIS Page:
http://www.epic.org/privacy/whois/
Senate Adds Unrelated DNA Collection to Violence Against Women Act
A measure that would allow the collection of DNA from any person detained or arrested by law enforcement was attached to the Violence Against Women Act. The amendment, unrelated to the Act, would allow law enforcement to collect DNA even from those not convicted or charged with any crime. The DNA would then be added to a federal DNA database. CODIS currently includes the DNA only of those who have been convicted, indicted, or charged with crimes.
Text of the bill (DNA Fingerprint Act is under Title X):
http://thomas.loc.gov/cgi-bin/query/z?c109:S.1197:
California to Track Parolees, Probationers by GPS
California Gov. Arnold Schwarzenegger signed legislation Tuesday that will allow counties and the state to track people on probation or parole by attaching global positioning system devices to their ankles. Each device costs about $9 per day to operate and can be assigned by probation officers without a judge's order. California has 115,000 parolees and 250,000 on probation.
California Legislative Information on the bill (SB 619):
http://www.epic.org/redirect/SB619.html
Homeland Security's Privacy Officer Steps Down
On September 29th, Nuala O'Connor Kelly stepped down as the Chief Privacy Officer at the Department of Homeland Security. The position was created in an attempt to safeguard privacy rights at DHS. Although civil liberties groups praised Ms. O'Connor Kelly for her work, which included calling attention to several privacy breaches at DHS, they also noted that the position of Privacy Officer lacked the independence necessary to truly protect Americans' privacy. Ms. O'Connor Kelly leaves DHS to take a position as head of privacy issues at General Electric. Maureen Cooney, Ms. O'Connor Kelly's former chief of staff, has been named acting director.
Department of Homeland Security Privacy Office:
http://www.dhs.gov/dhspublic/interapp/editorial/editorial_0338.xml
[7] EPIC Bookstore: Dan Tynan's "Computer Privacy Annoyances"
Dan Tynan, Computer Privacy Annoyances: How to Avoid the Most Annoying Invasions of Your Personal and Online Privacy (O'Reilly 2005)
http://www.powells.com/partner/24075/biblio/0596007752
Dan Tynan's Computer Privacy Annoyances gets it right: the book provides excellent advice on how to protect privacy without turning the reader into a paranoid. The book has one of the best "top ten" steps to protect privacy I've read. He covers privacy at home, work, and on the Internets. He also covers privacy in public, an increasingly important topic in an age of ubiquitous cameras and nagging offline requests for personal data at retail stores. A prescient section of the book discusses the privacy risks associated with social network software, systems that many even in the privacy community have adopted.
Oddly enough, O'Reilly (the publisher) stuck a registration card in Tynan's book. A careful reader of Tynan's book will learn that such product registration cards are just marketing tools and should be dispatched to the recycling bin.
-- Chris Jay Hoofnagle
EPIC Publications:
"Privacy & Human Rights 2004: An International Survey of Privacy Laws and Developments" (EPIC 2004). Price: $50.
http://www.epic.org/bookstore/phr2004
This survey, by EPIC and Privacy International, reviews the state of privacy in more than sixty countries around the world. The survey examines a wide range of privacy issues including data protection, passenger profiling, genetic databases, video surveillance, ID systems and freedom of information laws.
"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/foia2004
This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/pvsourcebook
This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.
http://www.epic.org/bookstore/pls2004
The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and international privacy law, as well as a comprehensive listing of privacy resources.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls
The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.
"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20.
http://www.epic.org/bookstore/crypto00&
EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore
"EPIC Bookshelf" at Powell's Books http://www.powells.com/features/epic/epic.html
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
https://mailman.epic.org/cgi-bin/control/foia_notes
[8] Upcoming Conferences and Events
Access & Privacy Workshop 2005: Toolkit For Change. Ontario Ministry of Government Service’s Access & Privacy Office. October 6-7, 2005. Toronto, Ontario. For more information:
http://www.governmentevents.ca/apw2005/
State of Play III: Social Revolutions. Berkman Center for Internet and Society, New York Law School, Yale Law School. October 7-8, 2005. New York, NY. For more information: http://www.nyls.edu/pages/2396.asp
Eighth World Conference and Exhibition on the Practical Application of Biometrics. Elsevier. October 19-21, 2005. Westminster, London, UK. For more information:
http://www.biometrics.elsevier.com/
Public Voice Symposium: "Privacy and Data Protection in Latin America - Analysis and Perspectives." Launch of the first Spanish version of "Privacy and Human Rights." October 20-21, 2005, Auditorio Alberto Lleras Camargo de la Universidad de los Andes, Bogota, Colombia. Organizers: Electronic Privacy Information Center (EPIC), Grupo de Estudios en Internet, Comercio Electrónico, Telecomunicaciones e Informática (GECTI), Law School of the Universidad de los Andes, Bogota, Colombia, Computer Professional for Social Responsibility-Peru (CPSR-Perú). For more information:
http://www.thepublicvoice.org/events/bogota05/default.html.
Cryptographic Hash Workshop. National Institute of Standards and Technology, Computer Security Division. October 31-November 1, 2005. Gaithersburg, MD. For more information:
http://www.csrc.nist.gov/pki/HashWorkshop/index.html
First International Conference on Digital Rights Management: Technology, Issues, Challenges, and Systems. Telecommunications and Information Technology Research Institute (University of Wollongong), International Association for Cryptologic Research, IEEE Task force on Information Assurance. October 31-November 2, 2005. Sydney, Australia. For more information:
http://www.titr.uow.edu.au/DRMTICS2005/
6th Annual Privacy and Security Workshop. Centre for Innovation Law and Policy (University of Toronto) and the Center for Applied Cryptographic Research (University of Waterloo). November 3-4, 2005. University of Toronto. For more information:
http://www.cacr.math.uwaterloo.ca/conferences/2005/psw/announcement.html
12th ACM Conference on Computer and Communications Security. Association for Computing Machinery: Special Interest Group on Security, Audit, and Control. November 7-11, 2005. Alexandria, VA. For more information:
http://www.acm.org/sigs/sigsac/ccs/CCS2005/
The World Summit on the Information Society. Government of Tunisia. November 16-18, 2005. Tunis, Tunisia. For more information:
http://www.itu.int/wsis
Internet Corporation For Assigned Names and Numbers (ICANN) Meeting. November 30-December 4, 2005. Vancouver, Canada. For more information: http://www.icann.org
Subscription Information
Subscribe/unsubscribe via web interface:
https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news
Back issues are available at:
http://www.epic.org/alert
The EPIC Alert displays best in a fixed-width font, such as Courier.
Privacy Policy
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
About EPIC
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
http://www.epic.org/donate
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.
URL: http://www.worldlii.org/int/journals/EPICAlert/2005/21.html